Email Spoof Test | Email Pen Test
90+% of Cyber attacks start with an email, test and see why...
Enter your email address into the box above and click the button. This site will send you 5 emails that will test your email systems ability to detect falsely forged or spoofed email. Spoofed email is nearly impossible to detect by an end user so having these controls on your mail system is of critical importance to overall security. All 5 test emails are described below, intended use and liability are at the bottom of this page.
is from emailspooftest.com which has a deny all SPF, enabled DKIM, and DMARC. This email simulates spoofing a domain fully protected by SPF and DKIM. (like a bank or government site) If SPF, DKIM, and DMARC protections are working on your mail servers this email should not get to your inbox.
is from badDKIM.com which has DKIM enabled but the spoof email is not signed. If DKIM protections are working properly this email should not get to your inbox. SPF and DMARC are not configured for this domain.
is from badSPF.com which has SPF set to deny all senders. If SPF protections are working properly this email should not get to your inbox. DKIM and DMARC are not configured for this domain.
tests spoofing internal mail from the outside. It sends a mail from you to you. If internal authentication is properly set this email should not get to your inbox.
is sent from a non-existing domain "garbage000f.com". If this email gets to your inbox your email system does not perform reverse DNS lookups.
This free test tool brought to you by the
Cyber Warfare Research Team (CWRT)
Frequently Asked Questions
This site is intended to help organizations identify where their email security gaps are so that they may correct any issues. Please only use this site on systems where you have explicit written permission to do so. If misused you could get into serious legal trouble. Use at your own risk!
This site, its owners, creators, and sponsors (referred to as “we”) make this site available as a free public service to make the world a safer and more secure place to do business. We are not responsible for any damage caused by use or misuse.